Bruce Schneier: "We Live in a Feudal Security World"

We pledge our allegiance to the service providers -- the likes of Google, Facebook -- and expect them to provide us with security in return -- akin to serfs and peasants paying tribute to their lords in the form of personal data, says Schneier, the author of Liars and Outliers: Enabling the Trust Society Needs to Survive, and chief security technology officer at BT.

"What I am seeing is a shift in power on the internet, that we generally have less control over our IT infrastructure, our products, our user devices, our services. We basically have to trust our vendors," he says. "We just don't have the ability to control security or configuration the way we did when we owned and controlled the platforms.

"This is very much a feudal model," he says, where users are "pledging their allegiance" to companies like Google with their data.

"They have our calendar, our address book. They have our photos. In return, we are expecting them to protect us." "In some ways, it is a dangerous model because Google really doesn't have a lot of interest in protecting us."

CIO New Zealand interviews Bruce Schneier on the feudal security model and its implications for privacy and security:

In his presentation last week at the RSA Conference in San Francisco, Schneier pointed out that historically, "disruptive technologies" like the plough, gunpowder, the printing press and radio have upset the power balance, and the internet is no exception.

"Different companies are gaining and losing power," he says. Before, people were worried about Microsoft as the "big company"; now their attention is on Amazon, Facebook and Apple.

Traditional models are now breaking because of the rise of devices like the iPhone and Kindle where the vendor controls the device more than you do, he says. At the same time, users of cloud services like Gmail or Flickr do not control the security in these services.

"You get what they provide, that is the new model of security. Someone else is taking care of it," says Schneier.

The tradeoff? "We give up some control and in return we get this very useful service. We have to trust our vendors will protect us, our data will be safe, that governments will not illegally spy on us. This is our only option," he says. "This model is starting to permeate security today," he says. An advantage is vendors are doing a better job at security, but a disadvantage is you can't audit their security. "Once you pledge allegiance, it will be hard to undo that -- often you can't pull data out of these sites," he says.

Power wielders

"Power is power," he says. "Unless we take Draconian measures, our data is no longer under our control." The powerful are trying to use their power to change the rules of the game, and succeeding, he says, from media companies shoring up their copyright claims to Netflix lobbying to make it easier to use and share data on what movies you like.

"I think this is going to happen more and more as companies get more control of data," he says. With cloud computing, where the cost of data storage is dropping except for lifecycle maintenance costs, cloud service providers can put computers wherever on the planet it is cheapest to maintain them. "We see data disassociated from the devices [from where] we access the data," he says. Debates on the future of the internet are around moral and political issues. "How do you balance privacy with law enforcement needs?"

He poses further questions: "Do we have the right to see data about ourselves, correct it, delete it? Do we really want to live in a world that never forgets?

"We live in a world where there is no more forgetting," he says, "we don't know whether it is a good idea or not". The worry is that the powerful are winning the debates, he says.

Sometimes, he says, "we can block actions of the powerful," citing the decision to remove the body scanners producing near-naked images at airports, which users found intrusive.

But these, he says, are the exception. Schneier sees bigger power struggles on the horizon. Feudalism fell out of favour with the rise of nation states, he says. "We need something similar to the internet, we want someone to enforce obligations on these companies instead of just giving them rights." He warns that this is going to be a "long and bloody battle".